The Grey Corner
A blog focused on the related subjects of software exploitation, penetration testing and computer incident detection and response.
Author: Stephen Bradshaw (http://www.blogger.com/profile/17048881513297639889)
Feed last updated: 2015-03-01T12:51:52.573+11:00

hlextend Pure Python hash length extension module (2014-08-23)
Introduction
I've been spending some time recently looking at various types of cryptographic vulnerabilities, trying to work out more efficient ways of identifying and exploiting them during penetration tests.
Hash length extension attacks are one of the vulnerability classes I have been looking at, and while I'm aware of and have played round with other tools such as Hashpump and

Python gdb Disassembly Extension 1.20 (2014-05-04)
I've released version 1.20 of my Python gdb Debugging Extensions, which I have now renamed to pygdbdis.
The introductory page for the extensions is here if you want to refresh your memory on what it does.
For a basic overview: The extensions are intended for those of us who use gdb to debug applications without the source - e.g. for reverse engineering, exploit development, etc. They contain a

GDB Extensions 1.10 (2014-03-23)
Here's a new version (1.10) of my gdb extensions. See the original post here to read about what they are and what they do.
Changes:
Many bug fixes (oh so many bugfixes)
The fifo files for the fifodisplay command have been moved off to the /tmp/ directory instead of the present working directory. There's a variable near the top of the script you can change to move this elsewhere if desired

Omlette Egghunter Shellcode (2013-10-31)
Introduction
When I first heard about omlette egghunter shellcode I was pretty keen to give it a try, but did not have the opportunity until after I heard that under some unknown circumstances it "doesn't work" (see the note here). At that point I thought I'd have a try at writing some omlette egghunter shellcode myself. Then about three years passed until I finally got around to doing it.

Welcome to 2006 - I'm now on Twitter (2013-10-31)
After a long period of persistently avoiding social media, I have now moved (somewhat) into the Web 2.0 age and am now on Twitter, where I semi-regularly dispense 140 character packages of fun and frivolity.
So, if you like seeing pictures of cats dressed up as people, feel free to follow me - there's a button over on the side panel, or you can look me up by my Twitter name @SM_Bradshaw.

My Python gdb Extensions (2013-10-20)
Introduction
If you started to learn reverse engineering and exploit development on 32 bit Windows systems as I did, you were probably very unimpressed when you first attempted to try out your skills on *nix machines and started (trying to) use gdb. I know I was.
Gdb is quite powerful, but it seems to be focused more on debugging applications with source and debug symbols. While it's certainly

I is HaXoR (2013-02-16)
It's official. My own entry in the Hackers Database and everything!
What is the Hackers Database? From the FAQ:
What is the main goal of the Hacker Database? (Known as the HDB)
The HDB is a community oriented database intended to document hackers, phreakers, and people who have influenced the realm of computer security. One major goal is to get factual documentation concerning people who

DEP Bypass Tutorial for Vulnserver (2012-12-08)
When Vulnserver was originally released I did say at the time that I would release a tutorial that covers the process of bypassing DEP. That was of course just before I started in a new job and my blog posting regularity pretty much dropped off the cliff. Well the good news (for me, and for you too perhaps) is that now I don't have to write that tutorial, because someone else has already done

Article in Pentest Magazine - Building a pentest system using Ubuntu (2012-09-01)
I've got an article in the latest edition of Pentest Magazine about setting up a pentesting system using Ubuntu Linux. This covers the actual process I use at work when setting up a pentesting box.
Read more about this issue here.
There were a few bits and pieces I wrote but left out of the article because of space reasons, so I will be posting them here on my blog soonish.

Restricted Character Set Buffer Overflow Tutorial for Vulnserver (2011-12-03)
The title says it all.
You can find the tutorial here.

Egghunter based exploit for Vulnserver (2011-10-20)
A link to the most recent entry in the Vulnserver series is provided below. It's at the InfoSec Institute site once more.
Link
Hopefully the next part in the series will be coming up soon, keep watching this space.

SEH Based Buffer Overflow Tutorial for Vulnserver (2011-06-25)
I wrote this tutorial on exploiting an SEH based vulnerability in Vulnserver a while back and am just getting around to posting a link for it here now that some formatting issues have been sorted. It's at the InfoSec Institute site once more.
Link
Hopefully the next part in the series will be coming up soon, keep watching this space.

Running Dradis in Apache on Ubuntu (2011-05-21)
Ever been running Dradis and noticed dreadful, unworkable performance problems? I have, and to fix these I have often resorted to running Dradis on Apache, which seems to get things working nicely once more. The problem with doing this however, is that I can't find an online guide that actually works for getting this setup.
The existing ones get you partway there, but still result in a broken

High Level Windows Shellcode Development Methods (2011-04-25)
Here's a super quick entry covering some high level methods you can use when developing Windows shellcode.
The methods are:
Using the memory editing features of a debugger
Using a c compiler
Using an assembler
Using a debugger
Writing shellcode using the code editing features of a debugger like OllyDbg is best suited to really simple (approximately <20 byte) shellcode, or for making small

Simple Stack Based Buffer Overflow Tutorial for Vulnserver (2011-03-11)
I have just written a tutorial for writing an exploit for the first and simplest exploitable vulnerability in Vulnserver. As with previous Vulnserver related articles, you can read it at the InfoSec Institute site.
Links below:
Part 1
Part 2
Part 3
Enjoy!

Exploit Writers Debugging Tutorial (2011-03-02)
I have written a debugging tutorial specifically for exploit writers, which you can read at the InfoSec Institute resources site. It covers all of the debugging skills needed to use OllyDbg for the development of Basic to Intermediate exploits, and is intended as a lead in to the tutorials I am planning on how to exploit each of the vulnerabilities in Vulnserver.
Links below:
Part 1
Part 2

An Introduction to Fuzzing: Using SPIKE to find vulnerabilities in Vulnserver (2010-12-25)
I have written an article on how to use the SPIKE fuzzer to find vulnerabilities in Vulnserver, which you can read at the InfoSec Institute site.
Links are below.
Part 1: Introduction to Fuzzing
Part 2: Fuzzer Automation with SPIKE
You can download some of the scripts used in the article below:
fuzzer.pl
trun.pl
gmon.pl
Enjoy!

Introducing Vulnserver (2010-12-15)
Vulnserver
I have just released a program named Vulnserver - a Windows based threaded TCP server application that is designed to be exploited.
Why did I write this?
I am (slowly, and when not occupied with other things) teaching myself to program in C, and this seemed like a good way to further develop my C programming skills. This gave me an opportunity to see how software is exploited

Version 0.4 of SSL Testing Tool ssltest.pl (2010-11-10)
New version, fixing a bug with the list command and resolving an issue from Skoyern relating to SSLv2 compliance with PCI DSS.
Download below - this link will always point to the latest version:
ssltest.pl

Version 0.3 of SSL Testing Tool ssltest.pl (2010-11-09)
I have released a new version of ssltest.pl - version 0.3. This new version has two changes from version 0.2:
The tool now checks to see that it can make a connection to the provided host and port before it performs all of its SSL tests. This will allow you to differentiate a non listening socket or non working network connection from an SSL service that supports no ciphers (mostly there to

Download and Execute Script Shellcode on Windows 7 (2010-10-21)
I have just released a new version of my Download and Execute Script shellcode which now works on Windows 7.
Essentially, the previous method I was using to find the base address of kernel32 was not Windows 7 compatible, so I have now started using this method discovered by SkyLined.
Taking into account some other "efficient-ising" I did while I was making this change, this comes in at only (

Bypassing Restrictive Proxies Part 2, Modified Windows Shell via Metasploit PassiveX (2010-08-22)
Introduction
When I first posted my Download and Execute Script shellcode a few months back, I mentioned that I had used it to obtain a shell in a restrictive proxy environment, and that I would discuss the process in a future blog entry. Well this blog entry has been a long time coming, mostly because I couldn't think of the right way to present the code that I used. Since use of this method

Version 0.2 of SSL Testing Tool ssltest.pl (2010-08-12)
I have just released a new version (0.2) of ssltest.pl.
This newest set of changes to the tool still don't include some of the things on my future wishlist, as mentioned in the previous post, but instead came about when I attempted to use the tool from a Windows system and found it didn't work so well.
The changes in version 0.2 were essentially focused on getting the same functionality from

SSL Testing Tool ssltest.pl (2010-07-27)
Update: I have just updated this tool to version 0.1.1 to resolve a minor bug (thanks Gitsnik) and a few cosmetic issues.
I have used a number of different tools to check cipher support on SSL Servers, including SSLDigger, sslthing, Cryptonark, Openssl and even a few web based solutions. Each tool has its good and bad points, but recently when trying to confirm that a particular badly behaved

Bypassing Restrictive Proxies Part 1, Encoded Executables and DNS Tunneling (2010-06-19)
Uses for Download and Execute Script Shellcode
A little while back I posted my Download and Execute Script shellcode and mentioned that it could be used in bypassing restrictive proxy servers. In this post I will give some quick examples of how you can actually do that.
The example scenarios I will describe are as follows, and involve having the script that is downloaded and executed:
write